Why Critical Vulnerabilities Do Not Get Reported In The CVE/NVD Databases And How Organisations Can Mitigate The Risks

By   Sivan Nir
Senior Analyst , Skybox Security Research Lab | Sep 24, 2018 02:30 am PST

A failure to report high-severity vulnerabilities often happens with open-source projects — vulnerabilities are discovered, disclosed to relevant parties and (hopefully) fixed without anyone filing a CVE request. It usually boils down to a lack of awareness or is viewed as overly burdensome to submit the CVE request.

In 2017, around 7,000 CVE-IDs assigned by the CVE Numbering Authorities (CNAs) has a reserved status where an ID is allocated but not updated with important details. This is especially surprising considering that 1,342 of them had already been publicly disclosed, and thus more likely to have exploits developed. This practice of reversal points to two main issues: first, NVD and Mitre not maintaining their data adequately, and second, that some of the CNAs are possibly not sharing their information properly.

For organisations who have implemented open-source projects that are common breeding grounds for unreported vulnerabilities, they could inspect a them for vulnerabilities on their own, but this would be incredibly time consuming and hard to do at scale. Attackers, on the other hand, can inspect popular library projects and find those issues fairly easily. Developing an exploit for such vulnerabilities would have a potentially wide reach.

Security tools such as vulnerability scanners that rely solely on CVE for vulnerability identification and details are likely to miss a large number of potential attack vectors in corporate networks, giving security teams only a partial view of their risk. Organisations need vulnerability management solutions that go beyond scanners and leverage other data sources than just NVD to discover vulnerabilities in their organisation.

More importantly, once identified, vulnerabilities should be analyzed in the context of potential business impact of an exploit, exposure within the network and exploit availability and activity in the wild. This way, vulnerability remediation can focus on eliminating risk to the organisation rather than trying to chase critical-severity vulnerabilities unlikely to be used in an attack.